Graduate School and Research Center in Communication Systems

Gabriel SERME

Eurecom - Networking and Security
PhD Student

Thesis

Aspect Oriented Security for Service Oriented Architectures

Responsible(s)

  • ROUDIER, Yves

Service-oriented architectures (SOAs) constitute a major architectural style for large-scale infrastructures and applications that are built from loosely coupled and well-separated services and that are subject to dynamic configuration, manipulation and evolution. SOAs today are the major structuring principle of a multitude of commercial infrastructures and applications that rely on service composition, in particular service orchestration, and that are frequently subject to evolution. They span a number of different organizations, and may involve powerful servers as well as resource-constrained devices (e.g., mobile devices). Two types of cross-boundary functionalities are essential to such compositions:

  • Functionalities that span administrative domains, such as security domains that are governed by different security policies, e.g., between warehouses and their clients.
  • Functionalities that span different technological domains, e.g., service infrastructures for fully featured service clusters as well as much more limited infrastructures supporting the mobile devices used by clients to access services.

Similarly to other compositional structuring mechanisms, SOAs are subject to the problem of crosscutting, that is, functionalities that are scattered and tangled over large parts of the architecture and of the underlying implementation. Security functionalities, such as access control and monitoring for intrusion detection, are prime examples of functionalities with this problem: they cannot be properly modularized, that is, defined as well-separated modules, especially if they should scale across administrative or technological domains. Aspect-Oriented Software Development [Aks04] is an application-structuring method that addresses the lack of modularization facilities for crosscutting functionalities in a systemic way.

The thesis will address this problem and contribute to the French-funded ANR project CESSA ("Compositional Evolutions of Secure Services with Aspects"). This project will enable the synthesis of correct-by-construction SOA-based applications and will allow the formal analysis of security properties of SOAs. It will also demonstrate that security aspects support the secure horizontal (i.e., orchestration and choreography of services) and vertical composition of Web Service and OSGi-based SOAs.

2. State of the Art

This thesis aims at addressing the problem of evolving large-scale SOAs based on aspects, in particular regarding their security models. Such SOAs involve traditional service compositions and refinements. The following sections briefly discuss the scientific and industrial state of the art of these different fields.

2.1. SOA

Service-oriented architectures (SOAs) are considered as advanced component-based architectures for the construction of distributed systems. A service is a software application that can be located over a network, and whose interfaces and bindings can be defined, described and discovered using standardized access means and formats. Services support direct interactions with other software agents using message exchanges over the network via well-defined protocols. Service computations are composed to implement processes, whose specification is done using dedicated workflow languages. Web Services are a concrete realization of a SOA, which uses XML artifacts and Internet-based protocols [WS04, WS05]. The Business Process Execution Language for Web Services (BPEL) [WS05, part VII] is a de facto standard for expressing Web Service compositions. The difference between the SOA approach and traditional approaches using conventional middleware lies in the looser coupling between the different parts of the specified distributed system. Another key difference is the use of standard and uniform formats and protocols.

Many efforts have been devoted to the formalization of processes and to reasoning about them, as exemplified by the proceedings of the international workshop "Web Services and Formal Methods" [WSFM05-07]. More specifically, different formalisms have been applied to BPEL: for example Petri nets [BPEL-PN05], the Spin model checker [SPIN04, WSAT04], and process algebras like FSP ("Finite State Process") [FSP03] or CCS ("Calculus of Communicating Systems") [CCS04].

In a SOA, there exist complex interactions among functional, management, and infrastructure interfaces. Aspect-oriented approaches have been proposed to solve this issue in the context of existing orchestration services for SOAs (e.g., Padus [BVJ06] and AO4BPEL [CM07]). Similarly, the QoSL4BPEL approach [BRL08] eases QoS management in service compositions through the specification of QoS constraints, defined using aspects, that result in the modification of BPEL compositions.

2.2. Security

SOA-related security is a rather recent field of research. Security in SOA has previously been addressed mainly from an application-only point of view, in terms of enforcement of properties like authenticity or confidentiality of messages, first in early SOA middleware (COSS and Jini), then with more acuity and by handling additional complexity in the case of Web Services. In particular, the loose coupling assumption of SOA made it necessary for security to be implemented as a service, thereby avoiding tightly binding security concerns with "functional" services themselves. Such an architecture avoids compositional impossibilities. However, even though this approach successfully introduced security in the SOA arena, it also has inherent limitations with respect to the security concerns that can be addressed. Whereas nothing limits the expressiveness of the Security Assertion Markup Language (SAML) [CKP+09], an XML-based standard used to control access, the enforcement of an access control policy through a single service makes it essentially unsuitable for cross-organizational concerns. It is becoming apparent that the enforcement of security properties is a fundamental problem that has to be addressed and that is an inherently crosscutting concern.

It was only recognized in recent years that SOA clients and services are themselves susceptible to various attacks through the messages exchanged, in addition to classical network-level or web-based attacks. XML rewriting attacks have, for instance, been demonstrated [RRS06, GLS07]. Such concerns can be partly addressed by a more careful design of communication protocols. However, implementation bugs are hard to track and deserve to be explored to effectively ensure security enforcement: vulnerability testing, test case generation, and fuzzing [Bei84, Bei90, GJM94] may be used to that effect, as well as approaches [CGP06, GKS05, MKK07] aiming to explore the alternative execution paths of an application to increase the analysis and test coverage of dynamic techniques.

Application gateways also offer an interesting, even though under-explored, architecture for both testing advanced vulnerabilities and countering attacks. Gateways have for instance been used to inject attacker patterns and to replay these with some degree of automation. Regarding countermeasures, gateways have long been used for mitigation, as demonstrated by Scott and Sharp's application-level firewall [ScSh02]. XML and SOAP firewalls have been developed in recent years [Wik09], in particular in the form of network appliances for sanitizing the XML encoding used for REST or SOAP messages before they actually reach any client or server in a domain, as well as for enforcing access control policies. Still, not much has been done to date with respect to the deployment of such appliances and to exploiting their capabilities for the development of dynamic applications. Furthermore, vulnerability detection and appropriate countermeasures in the context of cross-boundary security properties still constitute an open research issue.

3. Thesis topic

The thesis will provide a comprehensive treatment of security functionalities for SOAs in the presence of horizontal and vertical composition as well as evolution using aspects. Given a specification of security requirements for a service-oriented architecture, three problems will be investigated:

  • How to synthesize secure services to satisfy the security requirements.
  • How to certify that the services synthesized effectively satisfy the security requirements.
  • How to ensure that properties satisfied by a service-oriented architecture are preserved after evolutions using aspects.

Aspect-Oriented Programming will ease the synthesis of secure composed services by separating security concerns from other concerns in SOAs, such as business logic, transaction handling and so forth. Likewise, the certification of the synthesized services will benefit from AOP, which will help to automate the control process: AOP can often easily ensure a property by introducing access control or data flow checks when some condition is detected.

The thesis will also focus on the definition of a formal architecture description language (ADL) for SOAs with aspects. This ADL will support techniques for the description of functionalities that go across administrative and technological domains through horizontal and vertical composition of services, as well as their evolution using aspect-oriented programming (AOP). It will be formally defined in order to enable reasoning about correctness properties, specifically security properties.

3.1. Language support for service composition with aspects

A large part of the thesis will focus on refining the architectural model by language support for specific kinds of protocol. Concretely, the language should provide the following features:

  • Expression of horizontal and vertical compositions using composition operators over service protocols.
  • Expression of service evolutions using history-based aspects whose application is governed by an aspect-aware service interface: aspects may only be applied if aspect applications are enabled for a service.

3.2. Language support to express security specifications

A prerequisite to the synthesis of secure services is the definition of a language to express security specifications. The language will allow the description of expected security properties and of the security countermeasures to be adopted in the presence of an abnormal behavior of the system compared with the initially defined requirements. Means for the definition of security properties in the presence of aspects will be developed, including property definitions over vertical and horizontal compositions involving aspect-aware interfaces. Properties of compositions between large-scale SOAs and embedded devices will be handled.

3.3. Property preservation in the presence of aspects

The evolution of SOAs with aspects may break some underlying properties satisfied by the original SOA. Indeed, many evolutions, and hence aspects, have to be invasive (to some extent). This task will explore the impact of the use of aspects to secure SOAs. Aspect-aware service interfaces will be exploited to provide strict guarantees on the effects aspects may exert on the different architectural layers, thus reconciling aspects with the strong encapsulation properties of SOAs.

All the above mechanisms will be applied within the context of Enterprise Service-Oriented Architectures, in particular through experiments performed with existing SOA protocols and with use cases supplied by SAP. In particular, the thesis will produce a methodology for applying the above mechanisms, and will compare the use of the language supporting the definition of security aspects with traditional security best practices.
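An added illustration, written for this page and not taken from the thesis or the CESSA project, of two mechanisms described in sections 3 and 3.1 above: an aspect-aware service interface that lets a service enable or refuse aspect application, and a security aspect that weaves an access-control check before the operations selected by a pointcut. The Service, weave and access_control names and the warehouse/client sample services are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Advice = Callable[[str, Dict[str, Any]], None]  # runs before an operation; raises to deny the call
class AspectNotAllowed(Exception): pass  # the service interface does not enable aspects
class AccessDenied(Exception): pass      # the security advice rejected the call
@dataclass
class Service:
    name: str
    operations: Dict[str, Callable[..., Any]]
    aspects_enabled: bool = True                 # the aspect-aware interface flag
    before: Dict[str, List[Advice]] = field(default_factory=dict)  # woven advices per operation
    def invoke(self, op: str, ctx: Dict[str, Any], *args: Any) -> Any:
        for advice in self.before.get(op, []):   # woven advices run before the operation
            advice(op, ctx)
        return self.operations[op](*args)

def weave(service: Service, pointcut: Callable[[str], bool], advice: Advice) -> List[str]:
    """Attach advice before each operation matching the pointcut, refusing services
    whose aspect-aware interface has not enabled aspect application."""
    if not service.aspects_enabled:
        raise AspectNotAllowed(service.name)
    matched = [op for op in service.operations if pointcut(op)]
    for op in matched:
        service.before.setdefault(op, []).append(advice)
    return matched
def access_control(allowed_roles: set) -> Advice:
    """Security aspect: the caller context must carry at least one allowed role."""
    def advice(op: str, ctx: Dict[str, Any]) -> None:
        if not allowed_roles & set(ctx.get("roles", ())):
            raise AccessDenied(f"{op}: roles {ctx.get('roles')} lack {allowed_roles}")
    return advice

def demo() -> tuple:
    # Constructed sample: a warehouse service that enables aspects, a client service that opts out.
    stock = {"widget": 10}
    warehouse = Service("warehouse", {"getStock": lambda item: stock[item],
                                      "shipOrder": lambda item, n: stock.__setitem__(item, stock[item] - n)})
    client = Service("legacy-client", {"ping": lambda: "pong"}, aspects_enabled=False)
    woven = weave(warehouse, lambda op: op.startswith("ship"), access_control({"clerk"}))
    warehouse.invoke("shipOrder", {"roles": ["clerk"]}, "widget", 3)      # clerk: allowed
    try:
        warehouse.invoke("shipOrder", {"roles": ["guest"]}, "widget", 1)  # guest: denied
        denied = False
    except AccessDenied:
        denied = True
    try:
        weave(client, lambda op: True, access_control({"clerk"}))         # opted out: refused
        refused = False
    except AspectNotAllowed:
        refused = True
    return woven, stock["widget"], denied, refused
```

The returned tuple records which operations were woven, the stock left after the one authorized shipment, and that both the unauthorized call and the weaving attempt on the opted-out service were rejected.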